Update OIDC configuration UI #16935

Merged
merged 41 commits into from
Oct 22, 2024
Conversation

@ba1ash ba1ash commented Oct 11, 2024

Ticket

https://community.openproject.org/wp/57677
https://community.openproject.org/wp/58437
https://community.openproject.org/wp/58451

Screenshots

Sign in screen.

OIDC providers table.

Custom form

Peek.2024-10-14.15-45.mp4

Google and Microsoft Entra form

Peek.2024-10-14.16-33.mp4

What approach did you choose and why?

Create new UI to configure OIDC providers.

TODO:

  • Create a DB migration for migrating existing OIDC configurations stored in the database: Setting.plugin_openproject_openid_connect.
  • Migrate OIDC providers configured through env variables with modules/openid_connect/app/seeders/env_data/openid_connect/provider_seeder.rb. Accessible through Setting.seed_openid_connect_provider. The env alias is OPENPROJECT_OPENID__CONNECT.
  • Store OIDC provider data in the auth_providers table. Use the OpenIDConnect::Provider model to manipulate it. This model is used to work with three types of OIDC providers: Google, Entra, Custom. OpenIDConnect::Provider#oidc_provider is used to distinguish between them.
  • Add a new multi-step UI to configure Google, Entra and Custom providers.
  • Send requests to discovery endpoints to get provider metadata. Done in modules/openid_connect/app/services/openid_connect/providers/update_service.rb. The request is made for all three types, but the UI only allows entering the discovery endpoint for the Custom case. For Google the URL is static. For Microsoft it is derived from the tenant.
  • Update existing specs.
  • Add a feature spec.
  • Add support for claims and acr_values.
  • Add support for attribute_map parameter.
    See https://www.openproject.org/docs/installation-and-operations/misc/custom-openid-connect-providers/#attribute-mapping for an env variable usage example.
    It is used here, for example: https://github.com/opf/openproject/blob/dev/app/services/authentication/omniauth_service.rb#L263.
    Rough plan:
    • Save attributes_map to OpenIDConnect::Provider
    • Add additional step to Custom form to support mapping. SAML forms support that. Can be something similar.
    • Make sure it is migrated properly in modules/openid_connect/app/services/openid_connect/sync_service.rb which is used in the migration and seeder.
    • Add it to OpenIDConnect::Provider#to_h and make sure it is available in appropriate OmniAuth::OpenIDConnect::Provider instance returned by OpenProject::OpenIDConnect.providers.
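The description above says the discovery request is made for all three provider kinds, with a static URL for Google, a tenant-derived URL for Entra and an admin-entered one for Custom. The following is an added example (not OpenProject's UpdateService code) of how such a per-kind URL can be derived and how the fetched document should be checked before its endpoints are trusted; the method names, the constants and the sample document are assumptions.

```ruby
# Added example, not OpenProject code. Derives the discovery URL per provider
# kind and validates a discovery document before its endpoints are used.
require "json"
require "uri"

GOOGLE_DISCOVERY_URL = "https://accounts.google.com/.well-known/openid-configuration".freeze
ENTRA_DISCOVERY_TEMPLATE = "https://login.microsoftonline.com/%s/v2.0/.well-known/openid-configuration".freeze
REQUIRED_METADATA = %w[issuer authorization_endpoint token_endpoint jwks_uri].freeze

# provider is a plain hash standing in for an OpenIDConnect::Provider record.
def discovery_url_for(provider)
  case provider[:oidc_provider]
  when "google" then GOOGLE_DISCOVERY_URL       # static, never user-controlled
  when "entra"                                  # derived from the tenant only
    tenant = provider[:tenant].to_s
    raise ArgumentError, "tenant must be a GUID or domain" unless tenant.match?(/\A[A-Za-z0-9.-]+\z/)
    format(ENTRA_DISCOVERY_TEMPLATE, tenant)
  when "custom"                                 # admin-supplied, so validated
    url = URI.parse(provider[:discovery_url].to_s)
    raise ArgumentError, "discovery URL must be https" unless url.is_a?(URI::HTTPS)
    url.to_s
  else
    raise ArgumentError, "unknown provider kind #{provider[:oidc_provider].inspect}"
  end
end

# Checks a discovery document (JSON text, already fetched) against the URL it
# came from: required endpoints present and https, issuer on the same host as
# the discovery URL. Returns only the accepted metadata keys.
def validate_discovery!(json_text, discovery_url)
  doc = JSON.parse(json_text)
  missing = REQUIRED_METADATA.reject { |k| doc[k].is_a?(String) && !doc[k].empty? }
  raise ArgumentError, "missing metadata: #{missing.join(', ')}" unless missing.empty?
  REQUIRED_METADATA.each do |k|
    raise ArgumentError, "#{k} must be https" unless URI.parse(doc[k]).is_a?(URI::HTTPS)
  end
  expected_host = URI.parse(discovery_url).host
  issuer_host = URI.parse(doc["issuer"]).host
  raise ArgumentError, "issuer #{doc['issuer']} is not on #{expected_host}" unless issuer_host == expected_host
  doc.slice(*REQUIRED_METADATA)
end

# Constructed sample document, trimmed to the checked keys.
SAMPLE_GOOGLE_DOC = {
  "issuer" => "https://accounts.google.com",
  "authorization_endpoint" => "https://accounts.google.com/o/oauth2/v2/auth",
  "token_endpoint" => "https://oauth2.googleapis.com/token",
  "jwks_uri" => "https://www.googleapis.com/oauth2/v3/certs"
}.to_json
```

Note that Entra tenants addressed by domain name publish an issuer containing the tenant GUID, so a stricter issuer-prefix check than the host comparison above needs tenant-specific handling.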

@ba1ash ba1ash force-pushed the feature/57677-oidc-ui branch 10 times, most recently from 4082d8e to 7738bb7 on October 14, 2024 13:58
@ba1ash ba1ash marked this pull request as ready for review October 14, 2024 14:53
@ba1ash ba1ash requested a review from oliverguenther October 14, 2024 14:53
@oliverguenther oliverguenther force-pushed the feature/57677-oidc-ui branch 3 times, most recently from 1af6673 to 47d66f7 on October 15, 2024 12:50
@oliverguenther oliverguenther force-pushed the feature/57677-oidc-ui branch 4 times, most recently from 2abcc93 to 7d89e79 on October 16, 2024 09:21
@oliverguenther oliverguenther force-pushed the feature/57677-oidc-ui branch 5 times, most recently from 8764daa to 8b4c7d8 on October 18, 2024 09:29
<fieldset class="form--fieldset">
<legend class="form--fieldset-legend"><%= I18n.t(:'settings.authentication.single_sign_on') %></legend>
<div class="form--field">
<% providers = AuthProvider
These 6 lines should really go into a helper and not live in a template.

options
.select { |key, _| Saml::Provider.stored_attributes[:options].include?(key.to_s) }
.each do |key, value|
model.public_send(:"#{key}=", value)
The only thing necessary for the triumph of evil is for good men to do nothing.

I have to at least denounce this indentation for the record.

🤷‍♂️

require "spec_helper"

require Rails.root.join("modules/openid_connect/db/migrate/20240829140616_migrate_oidc_settings_to_providers.rb")
RSpec.describe MigrateOidcSettingsToProviders, type: :model do
<3

@machisuji machisuji left a comment

👍 🙏

@oliverguenther oliverguenther merged commit 8bb6775 into dev Oct 22, 2024
11 of 12 checks passed
@oliverguenther oliverguenther deleted the feature/57677-oidc-ui branch October 22, 2024 12:36